According to an indictment newly unsealed on Friday in Boston, two California men have been charged with hacking point-of-sale (POS) computers at various Subway restaurants.

The two suspects are Shahin Abdollahi, aka “Sean Holdt,” and Jeffrey Thomas Wilkinson, both of San Bernardino County, California, east of Los Angeles.

Prosecutors have accused them of hacking at least 13 such POS computers and installing a remote desktop application on them, which they then used to fraudulently load Subway gift cards totaling “at least $40,000.” They are alleged to have then sold those gift cards on eBay and Craigslist.

In September 2012, two Romanians admitted to participating in a similar international scheme involving hacked Subway POS computers, racking up more than $10 million in losses.

Abdollahi and Wilkinson are each charged with “one count of conspiracy to commit computer intrusion and wire fraud, and one count of wire fraud.”

According to the indictment, Subway franchise owners typically buy POS systems from third-party vendors. Abdollahi operated one such company, called “POS Doctor,” and was based in Southern California. He is further accused of selling a POS system with LogMeIn, a remote desktop application, to a Subway franchise in Franklin, Massachusetts, southwest of Boston, as well as others in Wyoming and California.

The indictment also states that Abdollahi “owned and operated one or more Subway restaurant franchises in Southern California, where he gained experience with Subway POS systems and Subway gift cards.”

The case was announced by representatives from the United States Secret Service and an acting assistant attorney general. Interestingly, the prosecutors include US Attorney Carmen M. Ortiz for the District of Massachusetts. Ortiz has come under fire in recent weeks for her prosecution of the case against hacktivist Aaron Swartz, which ultimately may have contributed to his tragic suicide.

Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is due out in May 2018 from Melville House. Email: cyrus.farivar@arstechnica.com // Twitter: @cfarivar

Please show me how Ms. Ortiz' prosecution of Mr. Swartz "ultimately resulted in his tragic suicide". Until then, I'll continue to believe that Mr. Swartz' suicide was the result of Mr. Swartz' decision to kill himself.

Shame on you Ars.

I cannot fathom any legitimate reason for your exclusion of the two words immediately preceding the phrase you quoted.

I worked as a field engineer for a point-of-sale system company for 7 years, and the local subway franchisees were our second biggest client group. Based on my experience as I worked for that company, I can only say that I'm hardly surprised by any news of a hack involving Subway's POS network.

Behind the crappy 1990s-era Visual Basic interface is a Windows XP Pro computer. Theoretically, all of them are required (by Subway corporate) to be running ESET NOD32. From my experience, compliance with that mandate hovered around 50% at best. Those stores that didn't buy NOD32 from corporate. And even then, NOD32 (or any other AV solution for that matter) wasn't particularly useful, because the employees were dead-set on doing everything possible to get the terminals infected. Downloading torrents, installing anything and everything, watching porn, browsing Facebook, and all sorts of other insanity.

We tried to close some of the infection vectors by using stripped and locked-down images of Windows Embedded or Windows Embedded for POS, which worked well. Right up until Subway's corporate support team (who you needed to deal with in order to get certain things fixed or confirmed as working) threw a snit and threatened to de-list us as an authorized vendor if we didn't start using full XP installs. In spite of the fact that XPe or WEPOS ran on the XP kernel and had every service and component necessary to run their software.

Do they not have any PCI audits ever? I do phone support for point-of-sale systems, mostly at hospitals and colleges, and people call in all the time because they need help filling out the PCI questionnaire or re-IPing all the stuff to put it on a properly secured and compliant subnet.

The misquote is disingenuous, but that doesn't negate the fact that there is editorial bias on Ars in regards to the Swartz suicide.

I assume you're also ashamed of yourself deliberately misquoting the article and then reacting to your straw man. Cheap ploy, very cheap.

Not so cheap that it didn't lead to Cyrus' ninja edit of the article to include the words "may have", which were not present in the original article.

Comments, Cyrus?

Cyrus won't fess up to it. You just got thrown under the bus. Feels good.

The way I remember it, each store/franchise was responsible for its PCI compliance. For our Subway customers, we tried very hard to stay just a hardware vendor so we never really got involved in their PCI compliance program.

The mention that the case shares the same prosecutor of the Aaron Swartz trial is not interesting in the least.

This site needs to cut back on the Aaron Swartz trolling just a touch. He's just a guy that killed himself. It is very rare to blame anyone other than the person that committed suicide for his/her suicide. Aaron Swartz does not get a free pass.

I'm a bit confused here. How did the PC get a browser, bit torrent etc? I'm assuming those programs are not part of the OS and the employees can't load their own software.

I was at a Sweet Tomatoes (Souplantation for you SoCalers) where they were booting the register. I was surprised to see them running SUSE Linux. But most of the time when I see a register booted it is usually running Windows.

It must have been tough selling those Subway cards in CA. We like Togos.

Aaron Swartz was bipolar, which led to him repeatedly making very bad decisions, which led to him being charged with felonies that there is no dispute that he committed. The prosecutor isn't any more at fault than the computer used to commit the crimes or the legislators that wrote the laws. Killing himself was just the last bad decision. Had he toughed it out he'd have very likely been out of jail in a few years, writing books and doing the talk show circuit. If you want to do something about it, contribute to a mental health organization. Calling out the prosecutors is just self-serving rhetoric.

The guy thought that because he could get cards anywhere, that he'd be less able to be traced.

Seems reasonable based on what I've seen.

Most POS systems are managed in small locations on horribly secure networks.

A lot of small shops that have POS have them tied to their consumer-grade router, that also has wifi on it. Yes, I've seen this; yes, I argued against it; no, the owner didn't give a shit. Yes, I laughed and wished him good luck. Yes, the sales chick was hot; no, I didn't order a double espresso whatever the hell they call that fruity shit.

Basically, security is blind these days. There used to be a time where you couldn't / shouldn't and wouldn't be allowed to do crap w/o some kind of legitimate credentials.

Now? Pssh, Security for everyone, just have to set this router password and oh yeah baby, secure now.

The terminals (as mandated by Subway) were running a full install of Windows XP, and we couldn't not allow them access to IE; they needed it to run their business. We denied access to it from the account the cashiers were supposed to use, but so many of them knew the management account password, or the account was just left logged on. Bored employees could easily exit the POS software, switch accounts or bring up IE, and off they went.